A continuing need exists for privacy and authentication in computer networks. The ability to properly authenticate a computer network user, for example, is one of the foremost areas of concern involved in computer network security. Various authentication schemes have been created to address computer network security needs. One scheme that has recently gained a great deal of use is the Kerberos security system, including related Kerberos protocols and software. Kerberos is a network authentication protocol that was designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos security system is generally utilized today as a developing standard for authenticating computer network users, because it can operate in a multi-vendor network and does not require the transmission of passwords over the computer network.
Kerberos functions as a means for authenticating users. A Kerberos software package implemented in the context of a data network (e.g., a computer network) can determine whether a user is in fact a valid network user. It does not provide other security services such as audit trails. Kerberos authentication is based on “passwords” and does not involve physical location or smart cards. In order to implement Kerberos in a computer network, each computer in the network must run Kerberos software. Kerberos works by granting a “ticket,” which can then be honored by all network computers running the Kerberos protocol. Such tickets can be encrypted so that passwords do not pass over the network in “clear text” and, additionally, so that users are not required to enter their password again when accessing a different computer.
Kerberos protocols find particularly useful applications in association with the Internet, a computer network well known in the computer networking arts. Because the Internet, including many internal organizational “Intranet” networks, generally operates in insecure network environments, many of the protocols utilized on the Internet (including “Intranets”) do not provide any security. Tools to “sniff” passwords off of a computer network are commonly utilized by malicious hackers. Applications that send an unencrypted password over a computer network (e.g., the Internet and/or an Intranet) are very vulnerable to undesirable network intrusions.
Many computer network designers, including designers of so-called “web sites,” often utilize “firewalls” to solve their network security problems. A firewall, well known in the networking and computer arts, is generally a security module that protects an organization's network (e.g., an Intranet) against external threats, such as hackers, coming from another network, such as the Internet. Firewalls prevent computers or other computing devices within a particular network from communicating directly with computers or other devices external to the network, and vice versa. Instead, all communications are generally routed through a proxy server outside of the organizational network, and the proxy server determines whether it may be safe to let a particular message or data pass through to the network.
Unfortunately, firewalls assume that malicious hackers, for example, operate external to the computer network, which is essentially a flawed assumption. Insiders carry out many particularly egregious and damaging incidents of computer crime. Firewalls also have a significant disadvantage in that they restrict how a user is able to function within the network environment. Kerberos was thus created as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have utilized Kerberos to prove their identity, all communications thereafter can be encrypted to assure privacy and data integrity.
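The ticket-based exchange described above (a key-distribution center issues an encrypted ticket, the client proves its identity to the server and the server proves its identity back, and the resulting session key protects subsequent traffic) is illustrated below with an added example. It is not part of the original disclosure, and it simplifies the real Kerberos protocol: a single KDC exchange stands in for the AS/TGS exchanges, a small HMAC-SHA256 based encrypt-then-MAC construction stands in for the Kerberos encryption types, and the realm, principal names and passwords are constructed for the example. What it does show is the property the text relies on: the password is only ever used locally to derive a key, so nothing password-equivalent crosses the network, and a forged or expired ticket or a wrong password is rejected by an integrity or validity check rather than by a password comparison.

```python
"""Simplified Kerberos-style authentication (added illustration, not the
original's code). Toy cipher stands in for Kerberos encryption types;
realm, principals, passwords and lifetimes are constructed values."""
import hashlib
import hmac
import json
import os
import time

MAX_CLOCK_SKEW = 300  # seconds; Kerberos rejects stale authenticators


def derive_key(password: str, realm: str) -> bytes:
    # Long-term key derived from the password. The KDC stores only the
    # derived key, and the client derives the same key locally, so the
    # password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)


def _subkeys(key: bytes):
    # Separate encryption and integrity keys from one long-term or session key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serializable object: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Verify the tag (constant-time) before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Key distribution center: knows every principal's long-term key."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {name: derive_key(pw, realm) for name, pw in principals.items()}

    def authenticate(self, client: str, server: str, nonce: str, now: int, lifetime: int = 8 * 3600):
        # Fresh session key; the ticket is readable only by the server, the
        # reply only by the client. Neither contains a password.
        session_key = os.urandom(32).hex()
        expiry = now + lifetime
        ticket = seal(self.keys[server], {"client": client, "key": session_key, "expiry": expiry})
        reply = seal(self.keys[client], {"key": session_key, "nonce": nonce, "server": server, "expiry": expiry})
        return ticket, reply


def client_login(kdc: KDC, name: str, password: str, server: str, now: int):
    key = derive_key(password, kdc.realm)  # password stays on the client
    nonce = os.urandom(8).hex()
    ticket, reply = kdc.authenticate(name, server, nonce, now)
    creds = unseal(key, reply)  # wrong password -> wrong key -> integrity failure
    if creds["nonce"] != nonce or creds["server"] != server:
        raise ValueError("KDC reply does not match request")
    return ticket, bytes.fromhex(creds["key"])


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    t = unseal(server_key, ticket)  # forged or modified ticket fails here
    if now > t["expiry"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    auth = unseal(session_key, authenticator)  # proves client holds the session key
    if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > MAX_CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    # Mutual authentication: only the real server could decrypt the ticket
    # and therefore encrypt the client's timestamp under the session key.
    return session_key, seal(session_key, {"timestamp": auth["timestamp"]})


def run_exchange(password: str = "correct horse", tamper_ticket: bool = False, now: int = None) -> str:
    """Full exchange; returns the application payload the server decrypted."""
    now = now or int(time.time())
    kdc = KDC("EXAMPLE.REALM", {"alice": "correct horse", "fileserver": "constructed-server-secret"})
    ticket, session_key = client_login(kdc, "alice", password, "fileserver", now)
    if tamper_ticket:
        ticket = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
    authenticator = seal(session_key, {"client": "alice", "timestamp": now})
    server_session_key, ap_rep = server_accept(kdc.keys["fileserver"], ticket, authenticator, now)
    if unseal(session_key, ap_rep)["timestamp"] != now:
        raise ValueError("server failed mutual authentication")
    # All later traffic is protected by the shared session key.
    return unseal(server_session_key, seal(session_key, {"data": "hello"}))["data"]


def rejected(**kwargs) -> bool:
    """True if the exchange with the given variation is refused."""
    try:
        run_exchange(**kwargs)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_exchange())
    print(rejected(password="wrong"), rejected(tamper_ticket=True))
```

Running the block prints `hello` for the honest exchange and `True True` for the wrong-password and tampered-ticket variations; note that in both failure cases the refusal comes from an integrity check on encrypted data, never from comparing a transmitted password.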
The present invention was created as a solution for integrating a one-time password system (e.g., CRYPTO Cards) into an institution-wide Windows® desktop. With the advent of modern operating systems such as, for example, Windows 2000®, many operating systems have moved from proprietary authentication schemes to the more standard Kerberos system. Because many institutions have utilized Kerberos in UNIX environments for a number of years, many one-time password systems have been integrated into UNIX-based Kerberos protocols. A number of schemes have been considered for integrating one-time passwords with Microsoft's version of Kerberos, including, for example, the use of a UNIX Kerberos server, cross-realm trusts between UNIX and Microsoft® servers, modification of a Microsoft® system or server, and the replacement of end-user authentication interfaces. The present inventor has determined that all of these solutions are either technically unfeasible or too difficult to implement.
Based on the foregoing, the present inventor has concluded that a need exists for an improved method and system for authenticating users without the aforementioned drawbacks. The present inventor believes that an improved authentication scheme can be designed and implemented which involves the interception of network-level Kerberos authentication packages. Such an improved authentication scheme, including methods and systems thereof, is thus disclosed herein.